Are optical networks as secure as we think?
By Chris Janson, Optical Product Marketing - Nokia | Posted: 21 March 2016 8:47:42 PM
Twitter | LinkedIn | Facebook | Reddit
OFC provides an annual report on advances in optical capacity, reach, agility and control. Certainly, the advances in components, systems and software are nothing short of amazing since I first attended OFC in 1990. Back then, we were reporting methods and devices to carry analog video along with digital data. We have come so far!
We now trust networks with increasing types and volume of data from all manner of connected devices. That very data has become increasingly valuable to thieves or vandals. Data aggregated from individuals and stored by an enterprise in a data center is a prime target for theft. In 2013, the NSA proved that protecting links between data centers is essential to ensuring integrity of personal and enterprise information. Optical networks are not intrusion proof and so the industry has adopted physical layer encryption using standardized methods such as AES-256 and certified through standards such as FIPS-140-2 or Common Criteria. Yet, is this enough?
Recent cyber attacks have proven that security is never a once-and-done problem, solved with a simple solution. Last year’s attack on a Ukrainian power utility demonstrated that foreign cyber invaders were able to interrupt the operation of another nation’s infrastructure. That attack caught the attention of the world’s cyber security community and led the US DHS to issue mitigation recommendations.
Cyber attacks have forced us to consider the strength of optical network security. While AES-256 may be impossible to hack with the computers of 2016, what about the strength of public key mechanisms? And when will computing advances catch up to the security strength now in place? Quantum computing could provide such a frightening, watershed moment- where commonly used encryption and public key methods are rendered ineffective. Estimates place availability of quantum computing between 10 and 25 years, near term enough that last month, the US NIST issued a Report on Post-quantum Cryptography, in which they stated, “… regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems”. NIST and NAS have changed recommendations for classified information to require 192 bits of security strength for both the encryption algorithm and keys. Just last year, 112 bits of security strength was deemed strong enough for all but top-secret data. Elliott Williams put it this way in a recent blog: “Anyone storing your data now will be able to read it when today’s toddler is enrolling in college”.
I look forward to hearing how the industry will keep pace with minimum security levels as the bar is raised. Encryption is a strong start but will need to be complemented with advanced key algorithms, continuing independent certifications testing and robust design practices. As the threats become more sophisticated, we need to be vigilant to protect the increasing volume and value of business-critical data now being carried on the world’s optical networks.
||Chris Janson work in Optical Product Marketing at Nokia
Posted: 21 March 2016 by
Chris Janson, Optical Product Marketing - Nokia
| with 0 comments